Exploit Kill Chain

Lockheed Martin seems to be the primary commercial user of the cyber kill chain term and developed a map labeling the cyber kill chain phases as: reconnaissance, weaponization, delivery, exploit, installation, command and control, and actions on objectives.  While this is a useful model, few organizations have the resources of a defense contractor or government intelligence agency.

To give clients an easy method to view the middle aspects of the kill chain, we created a diagram to illustrate different approaches to adding security controls (configuration, process, technology).  The majority of cyber-attacks begin with a phishing email or drive-by/watering hole website.  The chain of events for these types of attacks are very predictable, as are the controls you can put in place to mitigate these attacks.

Threat Kill Chain with Example Controls


This is not meant to be a checklist, and the most important items are configuration/process.  The critical controls to put in place to mitigate the effects of these attacks are:

  • Email security (no executable/archived content allowed)
  • Restricting Internet access (whitelisting allowed categories plus manually adding individual websites is best policy)
  • Pass the Hash protections (see Microsoft guidance for secure O/S configurations and events to monitor)
  • Vulnerability Scanning/Patch Management
  • Secure Network Architecture
  • Application Control/Bit9 (best) or at least host visibility (Carbon Black, Tanium, ECAT, etc.)

This was created using a Chrome application called Gliffy Diagrams that is absolutely free with no strings attached.

If you have feedback or want a copy that can be edited, send an email to [email protected]